From: "b. f."
To: Chris
Cc: freebsd-questions@FreeBSD.org
Date: Sun, 15 Nov 2009 19:41:18 +0000
Subject: Re: Produce identical packages for checksum comparison?
In-Reply-To: <4B002741.4000403@telting.org>
References: <4B002741.4000403@telting.org>
On 11/15/09, Chris wrote:
> b. f. wrote:
>> Chris wrote:
...
>> Even if you edited your
>> filesystem or archives to change the timestamps of package files, the
>>
> I think that could be accomplished through the port makefiles.

I think that the exact reproduction of whole archives will be problematic, unless you have a means of changing the ctime of the binaries that have been built to a predetermined value.

>> toolchain used to create the binary files in packages often injects
>> random seeds, timestamps, file paths, uid/gid information, etc. that
>>
> I can understand file paths with debug info. Timestamps? Ok sure for a
> timestamp file being generated during a make that auto increments version
> numbers. What would change about uid/gid? I can't imagine why that
> might be in the binaries.

ar(1) and some of the other utilities inject this information into certain binary files. Try running 'objdump -a' on, for example, some static archive like /usr/lib/libc.a. Of course this information can be manipulated, but you have to do it. See the patches in the link I cited earlier for other examples.

...

> Why would the build tools be injecting random numbers into binaries?

Usually to provide some degree of uniqueness. I'm not saying that it is always done, just that it _may_ be done. See, for example, the gcc sources or the -frandom-seed option description in gcc(1). And it may not be just the compiler toolchain -- a port may do it. Occasionally, there are other sources of non-determinism.
For example, in a recent thesis, a researcher who was trying to use reproducible builds to defeat a longstanding security threat found that the tcc compiler produced non-deterministic builds because of a defect in sign-extending some casts, and a problem with long double output. He also cited another researcher's finding that a certain java compiler's output was dependent upon the address of heap memory addresses used during compilation. See:

http://www.dwheeler.com/trusting-trust/dissertation/wheeler-trusting-trust-ddc.pdf

...

> If I concentrated on one problem at a time I would never get anything done.

?! :)

b.
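The point made above about ar(1) writing uid/gid and timestamps into static archives can be checked without a toolchain at hand. The following script is an added example, not code from the mailing-list post or from FreeBSD: it constructs two tiny System V-format ar archives from the same constructed member contents but with different build-environment metadata, reads back the per-member header fields that 'objdump -a' would report, shows that the archive digests differ, and then rewrites those fields to fixed values (the approach deterministic-mode archivers take) so the digests agree. The member names and contents are invented stand-ins for object files, and the function names are this example's own.

```python
"""Inspect and normalise the metadata fields in a System V ar(1) archive.

Added example: shows why two archives built from identical objects can have
different checksums (mtime/uid/gid/mode live in every member header) and how
pinning those fields restores byte-identical output.
"""
import hashlib
import io

AR_MAGIC = b"!<arch>\n"   # global header of every ar archive
HDR_LEN = 60              # fixed-size member header


def build_ar(members, mtime, uid, gid, mode=0o100644):
    """Construct a minimal ar archive from (name, data) pairs.

    mtime/uid/gid/mode are the fields ar(1) fills from the build
    environment; a real build would take them from the .o files' stat data.
    Member names must be at most 15 characters (System V short-name form).
    """
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        hdr = (f"{name + '/':<16}{mtime:<12d}{uid:<6d}{gid:<6d}"
               f"{mode:<8o}{len(data):<10d}`\n").encode("ascii")
        assert len(hdr) == HDR_LEN
        out.write(hdr)
        out.write(data)
        if len(data) % 2:
            out.write(b"\n")  # member data is padded to an even length
    return out.getvalue()


def parse_ar(blob):
    """Return one dict per member with the header fields objdump -a prints."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    members = []
    while pos + HDR_LEN <= len(blob):
        hdr = blob[pos:pos + HDR_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        size = int(hdr[48:58])
        members.append({
            "name": hdr[0:16].decode("ascii").rstrip().rstrip("/"),
            "mtime": int(hdr[16:28]),
            "uid": int(hdr[28:34]),
            "gid": int(hdr[34:40]),
            "mode": int(hdr[40:48], 8),
            "size": size,
            "offset": pos,
        })
        pos += HDR_LEN + size + (size % 2)
    return members


def normalize_ar(blob, mtime=0, uid=0, gid=0, mode=0o100644):
    """Rewrite every member header's mtime/uid/gid/mode to fixed values.

    Member data is untouched, so two archives built from the same objects
    become byte-identical regardless of who built them or when.
    """
    out = bytearray(blob)
    for m in parse_ar(blob):
        off = m["offset"] + 16
        out[off:off + 32] = (f"{mtime:<12d}{uid:<6d}{gid:<6d}"
                             f"{mode:<8o}").encode("ascii")
    return bytes(out)


def digest(blob):
    """Hex SHA-256 of an archive, the value a package checksum would carry."""
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for object files; one has odd length to exercise padding.
MEMBERS = [("foo.o", b"\x7fELF-stub-foo"), ("bar.o", b"\x7fELF-stub-bar1")]

# Same objects, built by a different user at a different time.
BUILD_A = build_ar(MEMBERS, mtime=1258314078, uid=1001, gid=1001)
BUILD_B = build_ar(MEMBERS, mtime=1258400000, uid=0, gid=0)


def reproducible_after_normalize(a, b):
    """True when archives differ only in header metadata."""
    return digest(normalize_ar(a)) == digest(normalize_ar(b))


if __name__ == "__main__":
    for label, blob in (("A", BUILD_A), ("B", BUILD_B)):
        print(label, digest(blob))
        for m in parse_ar(blob):
            print("  ", m["name"], "mtime", m["mtime"], "uid", m["uid"],
                  "gid", m["gid"], "mode", oct(m["mode"]))
    print("identical as built:", digest(BUILD_A) == digest(BUILD_B))
    print("identical normalised:", reproducible_after_normalize(BUILD_A, BUILD_B))
```

The same header layout is what a real archive carries, so parse_ar can be pointed at an actual .a file to list the fields that make two otherwise identical builds hash differently; normalize_ar is a post-processing fix, whereas pinning the values at archive creation time (as the post notes, "you have to do it") avoids rewriting artifacts after the fact.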